trust-dns: set it to NOT be the system resolver for servo
trust-dns recursor is too beta for servo
This commit is contained in:
parent
3a7c9022af
commit
f3cf9e0bed
|
@ -22,6 +22,7 @@
|
||||||
"sane-scripts.stop-all-servo"
|
"sane-scripts.stop-all-servo"
|
||||||
];
|
];
|
||||||
sane.services.dyn-dns.enable = true;
|
sane.services.dyn-dns.enable = true;
|
||||||
|
sane.services.trust-dns.asSystemResolver = false; # TODO: enable once it's all working well
|
||||||
sane.services.wg-home.enable = true;
|
sane.services.wg-home.enable = true;
|
||||||
sane.services.wg-home.visibleToWan = true;
|
sane.services.wg-home.visibleToWan = true;
|
||||||
sane.services.wg-home.forwardToWan = true;
|
sane.services.wg-home.forwardToWan = true;
|
||||||
|
|
|
@ -21,42 +21,36 @@
|
||||||
# - each namespace can use a different /etc/resolv.conf to specify different DNS servers (see `firejail --dns=...`)
|
# - each namespace can use a different /etc/resolv.conf to specify different DNS servers (see `firejail --dns=...`)
|
||||||
# - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
|
# - nscd breaks namespacing: the host nscd is unaware of the guest's /etc/resolv.conf, and so directs the guest's DNS requests to the host's servers.
|
||||||
# - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
|
# - this is fixed by either `firejail --blacklist=/var/run/nscd/socket`, or disabling nscd altogether.
|
||||||
{ lib, ... }:
|
{ config, lib, ... }:
|
||||||
|
lib.mkMerge [
|
||||||
{
|
{
|
||||||
# # use systemd's stub resolver.
|
sane.services.trust-dns.enable = lib.mkDefault config.sane.services.trust-dns.asSystemResolver;
|
||||||
# # /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
|
sane.services.trust-dns.asSystemResolver = lib.mkDefault true;
|
||||||
# # instead, running the stub resolver on a known address in the root ns lets us rewrite packets
|
}
|
||||||
# # in servo's ovnps namespace to use the provider's DNS resolvers.
|
(lib.mkIf (!config.sane.services.trust-dns.asSystemResolver) {
|
||||||
# # a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
|
# use systemd's stub resolver.
|
||||||
# # TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
|
# /etc/resolv.conf isn't sophisticated enough to use different servers per net namespace (or link).
|
||||||
# services.resolved.enable = true; #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
|
# instead, running the stub resolver on a known address in the root ns lets us rewrite packets
|
||||||
# # without DNSSEC:
|
# in servo's ovnps namespace to use the provider's DNS resolvers.
|
||||||
# # - dig matrix.org => works
|
# a weakness is we can only query 1 NS at a time (unless we were to clone the packets?)
|
||||||
# # - curl https://matrix.org => works
|
# TODO: rework servo's netns to use `firejail`, which is capable of spoofing /etc/resolv.conf.
|
||||||
# # with default DNSSEC:
|
services.resolved.enable = true; #< to disable, set ` = lib.mkForce false`, as other systemd features default to enabling `resolved`.
|
||||||
# # - dig matrix.org => works
|
# without DNSSEC:
|
||||||
# # - curl https://matrix.org => fails
|
# - dig matrix.org => works
|
||||||
# # i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
|
# - curl https://matrix.org => works
|
||||||
# services.resolved.dnssec = "false";
|
# with default DNSSEC:
|
||||||
# networking.nameservers = [
|
# - dig matrix.org => works
|
||||||
# # use systemd-resolved resolver
|
# - curl https://matrix.org => fails
|
||||||
# # full resolver (which understands /etc/hosts) lives on 127.0.0.53
|
# i don't know why. this might somehow be interfering with the DNS run on this device (trust-dns)
|
||||||
# # stub resolver (just forwards upstream) lives on 127.0.0.54
|
services.resolved.dnssec = "false";
|
||||||
# "127.0.0.53"
|
|
||||||
# ];
|
|
||||||
|
|
||||||
services.resolved.enable = lib.mkForce false;
|
|
||||||
sane.services.trust-dns.enable = true;
|
|
||||||
sane.services.trust-dns.instances.localhost = {
|
|
||||||
listenAddrs = [ "127.0.0.1" ];
|
|
||||||
enableRecursiveResolver = true;
|
|
||||||
# append zones discovered via DHCP to the resolver config.
|
|
||||||
includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
|
|
||||||
};
|
|
||||||
networking.nameservers = [
|
networking.nameservers = [
|
||||||
"127.0.0.1"
|
# use systemd-resolved resolver
|
||||||
|
# full resolver (which understands /etc/hosts) lives on 127.0.0.53
|
||||||
|
# stub resolver (just forwards upstream) lives on 127.0.0.54
|
||||||
|
"127.0.0.53"
|
||||||
];
|
];
|
||||||
|
})
|
||||||
|
{
|
||||||
# nscd -- the Name Service Caching Daemon -- caches DNS query responses
|
# nscd -- the Name Service Caching Daemon -- caches DNS query responses
|
||||||
# in a way that's unaware of my VPN routing, so routes are frequently poor against
|
# in a way that's unaware of my VPN routing, so routes are frequently poor against
|
||||||
# services which advertise different IPs based on geolocation.
|
# services which advertise different IPs based on geolocation.
|
||||||
|
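Review bot: `services.resolved.dnssec = "false"` becomes live configuration for every host with `asSystemResolver = false` (servo, per this commit), where before it was a commented-out experiment, and the comment above it still says the failure under the default setting is not understood. With validation off the host accepts whatever answers the upstream hands back, including forged ones; the comments describe rewriting DNS packets in servo's ovnps namespace toward a provider's resolvers, and an upstream that strips or lacks DNSSEC records is a plausible but unverified cause of the `curl` failure, so the downgrade should not stay silent. I'd replace the "i don't know why" line with `# DNSSEC validation is deliberately disabled: upstream answers are trusted as-is. Root cause of the validation failure under the default setting is still open.` and keep a TODO to find it. Separately, `networking.nameservers = [ "127.0.0.53" ]` looks like a loop back to resolved's own stub: as far as I recall, when `services.resolved.enable` is true the NixOS module feeds `networking.nameservers` into the `DNS=` line of resolved.conf rather than /etc/resolv.conf (which already points at the stub), so this entry is at best ignored and probably should be dropped. The enclosing `lib.mkMerge` list continues past this hunk.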
@ -77,3 +71,4 @@
|
||||||
services.nscd.enable = false;
|
services.nscd.enable = false;
|
||||||
system.nssModules = lib.mkForce [];
|
system.nssModules = lib.mkForce [];
|
||||||
}
|
}
|
||||||
|
]
|
||||||
|
|
|
@ -134,6 +134,10 @@ in
|
||||||
default = false;
|
default = false;
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
};
|
};
|
||||||
|
asSystemResolver = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
};
|
||||||
instances = mkOption {
|
instances = mkOption {
|
||||||
default = {};
|
default = {};
|
||||||
type = types.attrsOf instanceModule;
|
type = types.attrsOf instanceModule;
|
||||||
|
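Review bot: The new `asSystemResolver` option has no `description`, yet flipping it swaps the host's entire resolution path (systemd-resolved versus a trust-dns recursive resolver on 127.0.0.1 fed by DHCP-discovered zone includes, per the later hunk), so a reader of the generated option docs cannot tell what they are enabling. The sibling option directly above also omits one, so this matches the file's style, but a flag with this blast radius deserves text; I'd add `description = "Serve this host's own DNS queries from a local trust-dns recursive resolver on 127.0.0.1 and disable systemd-resolved. When false, other trust-dns instances may still run but the system resolver is left alone.";`. The enclosing `options` attribute set starts and ends outside this hunk.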
@ -202,10 +206,19 @@ in
|
||||||
)
|
)
|
||||||
];
|
];
|
||||||
|
|
||||||
environment.etc."NetworkManager/dispatcher.d/60-trust-dns-nmhook" = lib.mkIf
|
environment.etc."NetworkManager/dispatcher.d/60-trust-dns-nmhook" = lib.mkIf cfg.asSystemResolver {
|
||||||
(lib.any (c: c.enableRecursiveResolver) (builtins.attrValues cfg.instances))
|
|
||||||
{
|
|
||||||
source = "${trust-dns-nmhook}/bin/trust-dns-nmhook";
|
source = "${trust-dns-nmhook}/bin/trust-dns-nmhook";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
sane.services.trust-dns.instances.localhost = lib.mkIf cfg.asSystemResolver {
|
||||||
|
listenAddrs = [ "127.0.0.1" ];
|
||||||
|
enableRecursiveResolver = true;
|
||||||
|
# append zones discovered via DHCP to the resolver config.
|
||||||
|
includes = [ "/var/lib/trust-dns/dhcp-configs/*" ];
|
||||||
|
};
|
||||||
|
networking.nameservers = lib.mkIf cfg.asSystemResolver [
|
||||||
|
"127.0.0.1"
|
||||||
|
];
|
||||||
|
services.resolved.enable = lib.mkIf cfg.asSystemResolver (lib.mkForce false);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
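Review bot: `networking.nameservers = [ "127.0.0.1" ]` and `services.resolved.enable = lib.mkForce false` are gated only on `cfg.asSystemResolver`, not on trust-dns actually being enabled, so a host with `asSystemResolver = true` and `enable = false` would lose name resolution entirely: resolved is force-disabled and resolv.conf points at 127.0.0.1:53 where nothing listens. Unless the surrounding `config` attribute (its opening is outside this hunk) is already wrapped in `lib.mkIf cfg.enable`, I'd add `assertions = [ { assertion = cfg.asSystemResolver -> cfg.enable; message = "sane.services.trust-dns.asSystemResolver requires sane.services.trust-dns.enable"; } ];` beside these settings. The dispatcher-hook condition also narrowed from "any instance with `enableRecursiveResolver`" to `cfg.asSystemResolver`, so a host that defines its own recursive instance without being the system resolver no longer gets the NetworkManager hook installed; that may be intended, but it deserves a comment on the `environment.etc` line. Since the `localhost` instance includes `/var/lib/trust-dns/dhcp-configs/*`, which the hook presumably populates from DHCP-supplied data, whoever can write that directory or influence what the hook accepts can steer the resolver's forwarding — I can't see the hook here, so I'd only note it as something to confirm.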